In this lesson, you’ll learn how to secure container images by:
  • Understanding image naming conventions
  • Working with secure image registries
  • Configuring Pods to pull from private repositories
Previously, we deployed Pods running web apps, databases, and caches. Let’s begin with a simple Pod definition that uses the official nginx image:
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  containers:
    - name: nginx
      image: nginx

Understanding Image Names

Docker interprets image: nginx as library/nginx under the hood. The full naming convention is:
[registry]/[user-or-namespace]/[repository]:[tag]
  • Omit the registry → defaults to Docker Hub (docker.io)
  • Omit the namespace → defaults to library (the official account)
Specifying:
image: library/nginx
is equivalent to:
image: docker.io/library/nginx
You can also pull from other public registries. For example, Google’s registry hosts Kubernetes test images:
image: gcr.io/kubernetes-e2e-test-images/dnsutils
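As an added example (not part of the original lesson), the following Python applies the defaulting rules just described to an image reference and then checks it against a registry allow-list, the kind of check an admission policy would enforce. The allow-list, the 1.4.2 tag and the localhost:5000 reference are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

DOCKER_HUB = "docker.io"


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str          # namespace/name, e.g. "library/nginx"
    tag: str | None
    digest: str | None

    def canonical(self) -> str:
        """Fully qualified form, with the implicit 'latest' tag made explicit."""
        out = f"{self.registry}/{self.repository}:{self.tag or 'latest'}"
        return out + (f"@{self.digest}" if self.digest else "")


def parse_image(ref: str) -> ImageRef:
    """Apply the defaulting rules from the text: no registry -> docker.io,
    no namespace on Docker Hub -> library, no tag -> latest."""
    digest = None
    if "@" in ref:                      # optional content-addressed pin
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    registry = DOCKER_HUB
    # The first path component is a registry only if it looks like a host
    # (contains '.' or ':', or is 'localhost'); otherwise it is a namespace.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    tag = None
    if ":" in parts[-1]:                # the tag is attached to the last component
        parts[-1], tag = parts[-1].rsplit(":", 1)
    if registry == DOCKER_HUB and len(parts) == 1:
        parts.insert(0, "library")      # the official-images namespace
    return ImageRef(registry, "/".join(parts), tag, digest)


def check_image(ref: str, allowed_registries: set[str]) -> list[str]:
    """Policy check an admission hook might apply; returns the list of violations."""
    img = parse_image(ref)
    problems = []
    if img.registry not in allowed_registries:
        problems.append(f"registry '{img.registry}' not in allow-list")
    if (img.tag is None or img.tag == "latest") and img.digest is None:
        problems.append("unpinned tag (missing or 'latest')")
    return problems


if __name__ == "__main__":
    # Images from the manifests above plus constructed tag/digest/local-registry values.
    for ref in ["nginx", "gcr.io/kubernetes-e2e-test-images/dnsutils",
                "private-registry.io/apps/internal-app:1.4.2", "localhost:5000/app@sha256:deadbeef"]:
        print(f"{ref:45} -> {parse_image(ref).canonical()}  {check_image(ref, {'private-registry.io'})}")
```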

Common Public Registries

Registry                  URL        Use Case
Docker Hub                docker.io  Default public images
Google Artifact Registry  gcr.io     Google-hosted Kubernetes images
Quay.io                   quay.io    CI/CD and enterprise images

Using a Private Registry

For in-house applications, you can host your own registry or use a managed solution. To pull from a private registry, follow these steps:
  1. Authenticate locally (for pushing and testing):
    docker login private-registry.io
    # Username: registry-user
    # Password: ********
    # WARNING! Your password will be stored unencrypted in ~/.docker/config.json.
    # Login Succeeded
    
    Avoid committing ~/.docker/config.json to version control, and store credentials securely (e.g., using a secrets manager).
  2. Create a Kubernetes Secret of type docker-registry so worker nodes can pull the image:
    kubectl create secret docker-registry regcred \
      --docker-server=private-registry.io \
      --docker-username=registry-user \
      --docker-password=registry-password \
      --docker-email=[email protected]
    
  3. Reference the Secret in your Pod spec under imagePullSecrets:
    apiVersion: v1
    kind: Pod
    metadata:
      name: internal-app-pod
    spec:
      containers:
        - name: internal-app
          image: private-registry.io/apps/internal-app
      imagePullSecrets:
        - name: regcred
    
    When this Pod is scheduled, the kubelet uses the Secret to authenticate and pull the private image.